Total CVEs

141,249

Critical Severity

3,795

High Severity

13,708

Last 7 Days

2,216
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 8,161 - 8,180 of 13,819 CVEs
CVE-2026-34362 MEDIUM - 5.4

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `verifyTokenSocket()` function in `plugin/YPTSocket/functions.php` has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a 12-hour timeout. This all...

Vendor: WWBN
Product: AVideo
Published: Mar 27, 2026
Source: NVD
CVE-2026-34247 MEDIUM - 5.4

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Live/uploadPoster.php` endpoint allows any authenticated user to overwrite the poster image for any scheduled live stream by supplying an arbitrary `live_schedule_id`. The endpoint only checks `User::isLo...

Vendor: WWBN
Product: AVideo
Published: Mar 27, 2026
Source: NVD
CVE-2026-34245 MEDIUM - 6.3

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the platform, regardless...

Vendor: WWBN
Product: AVideo
Published: Mar 27, 2026
Source: NVD
CVE-2026-30571 MEDIUM - 6.1

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_category.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted ...

Vendor: ahsanriaz26gmailcom
Product: inventory_system
Published: Mar 27, 2026
Source: NVD
CVE-2026-30570 MEDIUM - 6.1

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_sales.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.

Vendor: ahsanriaz26gmailcom
Product: inventory_system
Published: Mar 27, 2026
Source: NVD
CVE-2026-30569 MEDIUM - 6.1

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_stock_availability.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arb...

Vendor: ahsanriaz26gmailcom
Product: inventory_system
Published: Mar 27, 2026
Source: NVD
CVE-2025-15616 MEDIUM - 6.7

Wazuh wazuh-agent and wazuh-manager versions 2.1.0 before 4.8.0 contain multiple shell injection and untrusted search path vulnerabilities that allow attackers to execute arbitrary commands through various components including logcollector configuration, maild SMTP server tags, and Kaspersky AR scri...

Vendor: Wazuh
Product: wazuh-agent, wazuh-manager
Published: Mar 27, 2026
Source: NVD
CVE-2025-15615 MEDIUM - 5.8

Wazuh Manager authd service in wazuh-manager packages through version 4.7.3 contains an improper restriction of client-initiated SSL/TLS renegotiation vulnerability that allows remote attackers to cause a denial of service by sending excessive renegotiation requests. Attackers can exploit the lack o...

Vendor: Wazuh
Product: wazuh-manager
Published: Mar 27, 2026
Source: NVD
CVE-2026-32983 MEDIUM - 5.8

Wazuh Manager authd service in wazuh-manager packages through version 4.7.3 contains an improper restriction of client-initiated SSL/TLS renegotiation vulnerability that allows remote attackers to cause a denial of service by sending excessive renegotiation requests. Attackers can exploit the lack o...

Vendor: Wazuh
Product: wazuh-manager
Published: Mar 27, 2026
Source: NVD
CVE-2026-30527 MEDIUM - 5.4

A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly sanitize user input supplied to the "Category Name" field when creating or updating a cate...

Vendor: oretnom23
Product: online_food_ordering_system
Published: Mar 27, 2026
Source: NVD
CVE-2026-33936 MEDIUM - 5.3

The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Prior to version 0.19.2, an issue in the low-...

Vendor: pip
Product: ecdsa
Published: Mar 27, 2026
Source: GitHub
CVE-2026-5025 MEDIUM - 6.5

The '/logs' and '/logs-stream' endpoints in the log router allow any authenticated user to read the full application log buffer. These endpoints only require basic authentication ('get_current_active_user') without any privilege checks (e.g., 'is_superuser').

Published: Mar 27, 2026
Source: NVD
CVE-2026-4980 MEDIUM - 6.3

A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:include tags.

Published: Mar 27, 2026
Source: NVD
CVE-2026-4954 MEDIUM - 6.3

A security vulnerability has been detected in mingSoft MCMS up to 5.5.0. Impacted is the function list of the file net/mingsoft/cms/action/web/ContentAction.java of the component Web Content List Endpoint. The manipulation leads to SQL injection. The attack can be initiated remotely. The exploit has...

Published: Mar 27, 2026
Source: NVD
CVE-2026-33433 MEDIUM - 8.8

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject their own canonical version of that heade...

Vendor: traefik
Product: traefik
Published: Mar 27, 2026
Source: NVD
CVE-2026-33206 MEDIUM - 6.3

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in calibre's handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from t...

Vendor: kovidgoyal
Product: calibre
Published: Mar 27, 2026
Source: NVD
CVE-2026-33205 MEDIUM - 5.5

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbit...

Vendor: kovidgoyal
Product: calibre
Published: Mar 27, 2026
Source: NVD
CVE-2026-28375 MEDIUM - 6.5

A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

Vendor: Grafana
Product: Grafana
Published: Mar 27, 2026
Source: NVD
CVE-2026-27879 MEDIUM - 6.5

A resample query can be used to trigger out-of-memory crashes in Grafana.

Vendor: Grafana
Product: Grafana
Published: Mar 27, 2026
Source: NVD
CVE-2026-27877 MEDIUM - 6.5

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improv...

Vendor: Grafana
Product: Grafana
Published: Mar 27, 2026
Source: NVD